[Openswan Users] Controlling XFRM policies to prevent spoofing

Paul Wouters paul at xelerance.com
Thu Jan 11 15:58:44 EST 2007 

On Thu, 11 Jan 2007, Michael Smith wrote:

> I'm using openswan 2.4.7 and netkey (kernel 2.6.18.3). I am trying to
> figure out how to create IPsec policies to require that inbound traffic
> from certain IP ranges can only be forwarded if it came in over IPsec.

If you have a tunnel definition, then all plaintext packets for those IP's
will always be dropped. KLIPS does this for sure. If NETKEY does not, it
needs fixing.

> This is a little dangerous, because although 10.20.1-101 will be protected
> by kernel IPsec policies, 10.20.101-255 would be wide open. Someone on the
> Internet could inject packets claiming to come from 10.20.101.1, and
> if they controlled the ISP's routers, they could even get replies.

All your border gateways to your ISP should be dropping
all 10/8 incoming packets from the ISP routers. Once they are inside your
network, irt becomes much harder to judge if they were spoofed or not.

> conn dummy
> 	leftsubnet=10.10.1.0/24
> 	rightsubnet=10.20.0.0/16
> 	#
> 	left=127.0.0.1
> 	leftnexthop=99.99.99.99
> 	leftid="/CN=not going to work"
> 	right=127.0.0.2
> 	rightnexthop=99.99.99.99
> 	rightid="/CN=also not going to work"
> 	#
> 	auto=route
>
> This actually works, and creates XFRM policies preventing the main office
> subnet (10.10.1.0/24) from sending replies to unused satellite
> subnets (10.20.101-255).
>
> # ip xfrm policy show
> ...
> src 10.20.1.0/24 dst 10.20.0.0/16
>         dir out priority 2348
>         tmpl src 0.0.0.0 dst 0.0.0.0
>                 proto esp reqid 0 mode transport
>
> But it still allows spoofed packets from 10.20.101-255 to be forwarded to
> 10.10.1.0/24. Is there a way to trick Openswan into creating dummy
> policies that would block those inbound packets? I could create the XFRM
> rules by hand, but I think Openswan might delete them at any time, right?

It should only delete those it creates. But how is openswan to know whether
a packet was spoofed or wether it was genuine? The basic method for this is
to drop all 10/8 packets coming in on any router you control in plaintext,
except for the network that has the particular 10/24 network. Packets coming
in through ipsec already passed the proper tunnel checks, so you shouldn't
be relaying spoofed packets within your network.

Paul

More information about the Users mailing list